detect/profile: add support for tx inspection

Add 'inspect_type' "packet" and "tx" for the two record types. Add more metadata
when available.

diff --git a/src/detect-engine-profile.c b/src/detect-engine-profile.c
index 349081185ad82dc751db083e8bbf254fb84d28c8..3fcc2a6b32f6b20e4b52c7766928b1cdefc89884 100644 (file)
--- a/src/detect-engine-profile.c
+++ b/src/detect-engine-profile.c
@@ -35,6 +35,51 @@
 #ifdef PROFILING
 SCMutex g_rule_dump_write_m = SCMUTEX_INITIALIZER;
 
+void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
+        const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt,
+        const uint32_t pkt_prefilter_cnt)
+{
+    JsonBuilder *js =
+            CreateEveHeaderWithTxId(p, LOG_DIR_PACKET, "inspectedrules", NULL, tx_id, NULL);
+    if (js == NULL)
+        return;
+
+    jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
+
+    jb_open_object(js, "inspectedrules");
+    jb_set_string(js, "inspect_type", "tx");
+    jb_set_uint(js, "rule_group_id", sgh->id);
+    jb_set_uint(js, "rule_cnt", rule_cnt);
+    jb_set_uint(js, "pkt_rule_cnt", pkt_prefilter_cnt);
+    jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);
+
+    jb_open_array(js, "rules");
+    for (uint32_t x = 0; x < rule_cnt; x++) {
+        SigIntId iid = det_ctx->tx_candidates[x].id;
+        const Signature *s = det_ctx->de_ctx->sig_array[iid];
+        if (s == NULL)
+            continue;
+        jb_append_uint(js, s->id);
+    }
+    jb_close(js); // close array
+    jb_close(js); // close inspectedrules object
+    jb_close(js); // final close
+
+    const char *filename = "packet_inspected_rules.json";
+    const char *log_dir = ConfigGetLogDirectory();
+    char log_path[PATH_MAX] = "";
+    snprintf(log_path, sizeof(log_path), "%s/%s", log_dir, filename);
+
+    SCMutexLock(&g_rule_dump_write_m);
+    FILE *fp = fopen(log_path, "a");
+    if (fp != NULL) {
+        fwrite(jb_ptr(js), jb_len(js), 1, fp);
+        fclose(fp);
+    }
+    SCMutexUnlock(&g_rule_dump_write_m);
+    jb_free(js);
+}
+
 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
         const SigGroupHead *sgh, const Packet *p)
 {
@@ -42,9 +87,15 @@ void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
     if (js == NULL)
         return;
 
+    if (p->flow) {
+        jb_set_string(js, "app_proto", AppProtoToString(p->flow->alproto));
+    }
+
     jb_open_object(js, "inspectedrules");
+    jb_set_string(js, "inspect_type", "packet");
     jb_set_uint(js, "rule_group_id", sgh->id);
     jb_set_uint(js, "rule_cnt", det_ctx->match_array_cnt);
+    jb_set_uint(js, "non_pf_rule_cnt", det_ctx->non_pf_store_cnt);
 
     jb_open_array(js, "rules");
     for (uint32_t x = 0; x < det_ctx->match_array_cnt; x++) {
@@ -72,4 +123,4 @@ void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
     SCMutexUnlock(&g_rule_dump_write_m);
     jb_free(js);
 }
-#endif /* PROFILING */
\ No newline at end of file
+#endif /* PROFILING */

diff --git a/src/detect-engine-profile.h b/src/detect-engine-profile.h
index 55d64d1dda4f7f5d0a481d70a57f86dee1b7f3d8..cd5ec046175d29a32f4a98d7f4ab35f52e031620 100644 (file)
--- a/src/detect-engine-profile.h
+++ b/src/detect-engine-profile.h
@@ -24,6 +24,9 @@
 #ifndef _DETECT_ENGINE_PROFILE_H
 #define        _DETECT_ENGINE_PROFILE_H
 
+void RulesDumpTxMatchArray(const DetectEngineThreadCtx *det_ctx, const SigGroupHead *sgh,
+        const Packet *p, const uint64_t tx_id, const uint32_t rule_cnt,
+        const uint32_t pkt_prefilter_cnt);
 void RulesDumpMatchArray(const DetectEngineThreadCtx *det_ctx,
         const SigGroupHead *sgh, const Packet *p);
 

diff --git a/src/detect.c b/src/detect.c
index ebd4a379718cbd7f588c6e3c3f7b21b6a309fb71..884dae8e657ff0114fd52a452f85f6b5e87a9e0c 100644 (file)
--- a/src/detect.c
+++ b/src/detect.c
@@ -1419,7 +1419,10 @@ static void DetectRunTx(ThreadVars *tv,
                         tx.tx_ptr, tx.tx_id, array_idx - old);
             }
         }
-
+#ifdef PROFILING
+        if (array_idx >= de_ctx->profile_match_logging_threshold)
+            RulesDumpTxMatchArray(det_ctx, scratch->sgh, p, tx.tx_id, array_idx, x);
+#endif
         det_ctx->tx_id = tx.tx_id;
         det_ctx->tx_id_set = 1;
         det_ctx->p = p;